Vulnerabilities in Televes COAXDATA GATEWAY – CVE-2017-6532
– Advisory –
Title: Televes COAXDATA GATEWAY 1Gbps – Priv Escalation
Author: Pedro Andujar (Tarlogic)
Televes COAXDATA GATEWAY Introduction
Televes COAXDATA GATEWAY 1Gbps it is a router+WiFI device used by both, end-user and professional Internet Services
providers. According to the manufacturer:
“The CoaxData system enables the use of coaxial, PLC or fibre optics networks to distribute Internet services
to a certain number of points, providing a non-invasive distribution system that preserves the quality of the transmission.
CoaxData Home WiFi (ref. 769301) transforms the data signal distributed by the coaxial system in a wireless signal
through an Ethernet interface gateway or “Low Power WiFi”. Also it can be configured as a router and/ or Access Point.”
This device is widely used by WiMAX providers, Rural Internet access, etc … mostly in Spain,
Austria and Portugal..
Televes COAXDATA GATEWAY VULNERABILITIES – TECHNICAL DESCRIPTION
Televes COAXDATA gateway contains two default users, (Admin) to manage the device using either Web or ssh, and
a restricted one (username) with access to more basic features (local network only and WiFi).
Several ways have been identified that allow the restricted user to acquire or modify the password of the Administrator,
obtaining therefore access to the rest of credentials and being able to get root access to the underlying operating system
BusyBox, from where you can take full control of the device.
It has been proven that a large number of these devices are exposed on the internet, and they only change the administrator
password, leaving by default the restricted account (username / 123456), which allows with the issues described here, to gain
full control of the device and allowing access to other devices of the subdyacent internal network.
Ref.769301 CoaxData 1Gbps-HDTV Coax+Wifi
doc-wifi-hgw_v1.02.0014 2016-02-02-14:01 – CD Firmware Version 4.20
Televes COAXDATA GATEWAY Vulnerability – ISSUE #1
Name: Backup Containing cleartext credentials is accessible by restricted user
This issue is in fact two, first one related to the lack of encryption when storing the user provided credentials wthin the
configuration file, second one regarding the lack of access control to the backup file that should be restricted to admin user.
This way after logging in with the default “username” credentials, you will only need to access the URL shown below, in order to
find cleartext users and passwords of WiFI, WPS pin value, WAN (internet provider) and the device Admin account:
pandujar@fogheaven:~$ curl https://192.168.2.1/mib.db | grep -i Password
InternetGatewayDevice.DeviceInfo.X_ATH-COM_TeleComAccount.Password -m 1 -d Changeme1 (Admin password)
InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANPPPConnection.1.Password -m 1 -d Changeme2 (ISP Password)
InternetGatewayDevice.X_ATH-COM_Account.UserPassword -m 1 -d 123456 (username password)
Televes COAXDATA GATEWAY Vulnerability – ISSUE #2
Name: Arbitrary password change
This is once more related insufficient access control and checks performed on the client side. Once logged in as the restricted user,
we can modify the Admin user password using the following request:
In fact, the password change form, actually allows to modify any other property of the device configuration, for instance it would also
allow to Enable SNMP:
Televes COAXDATA GATEWAY Vulnerability – ISSUE #3
Name: Unrestricted backup restore
The restoring backup and restart features lacks of access control, so the restricted user could modify the configuration
by setting the credentials of his choice taking advantate of this functionality:
POST /ReadFile.cgi HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0
Content-Type: multipart/form-data; boundary=—————————66789582480853432558488077
Content-Disposition: form-data; name=”cfgfile”; filename=”s”
InternetGatewayDevice.DeviceInfo.X_ATH-COM_TeleComAccount.Password -m 1 -d !dSR4ever
Content-Disposition: form-data; name=”LoadCfgFile”
Then performing the following request:
And finally rebooting the device:
Televes COAXDATA GATEWAY Vulnerability – ISSUE #4
Name: Credentials sent by querystring
Both, when logging in and changing password, credentials are passed through GET request (querystring), therefore they are cached
in the browsing history causing them to potentially been revealed by accident:
Televes COAXDATA GATEWAY Vulnerability – ISSUE #5
Name: Weak session mechanism, based on source ip
After performing the authentication process no token or cookies are assigned to the client browser, but the server would recognize the user based
to its source ip address. With this mechanism, if a user is authenticated through internet, anyone who shares his browsing ip (ex: corporate proxies),
would has access to the device with the very same account of the legitimate user.
* 19/Feb/2017: – Vulns found.
* 27/Feb/2017: – Manufacturer contacted through their contact web-form.
* 28/Feb/2017: – Technical details sent on a 2nd contact attempt.
* 01/Mar/2017: – Manufacturer acknowledge the issues and stats that restricted user would be removed from future releases.
* 13/Jul/2017: – Follow up email related to resolution. No response.
* 20/Jul/2017: – Public Disclosure.
It is recommended as a preventive measure to change the user name and password of the restricted user that comes by default, in addition to
block the administration web interface and SSH on the internet or untrusted networks.
Televes COAXDATA GATEWAY references
– COAXDATA GATEWAY 1Gbps
– Televes About US